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Abstract- This paper presents a new identity based strong designated verifier parallel multi- 
proxy signature scheme. Multi-Proxy signatures allow the original signer to delegate his signing 
power to a group of proxy signers. In our scheme, the designated verifier can only validate 
proxy signatures created by a group of proxy signer. 

1. INTRODUCTION 

Shamir [8] in 1985 introduced the concept of identity(ID) based cryptosy stems where, a users public 
key is derived from his identity and the corresponding private key is generated by a trusted third party 
called the Private Key Generator (PKG). ID based cryptosystems are advantageous over the traditional 
public key cryptosystems (PKC) as they avoid the need of certified public key register. 

Jakobsson et al [4] presented the concept of designated verifier signatures (DVS) in 1996. In DVS, the 
signer specifies a designated verifier who can only determine the validity of the signatures. However, 
the verifier in general is not able to convince other parties on the validity of the signatures, because he 
himself is able to produce the indistinguishable signatures. Sadeenia et al [6] added the concept of 
sfrongness in DVS that forces the designated verifier to use his secret key at the time of verification. 
When only two (unknown to each other) users can verify the signatures, the scheme is said to be bi- 
designated scheme [7]. 

In day-to-day life, many legal documents require signatures from more than one party. To meet these 
requirements, cryptography provides a mechanism known as multi-signatures proposed by Itakura et al 
[3] in 1983. A multi- signature provides multiple signers to generate a valid signature for a single 
message. Based on the nature of applications, the multi-signatures are categorized into two types: serial 
multi-signature and parallel multi-signature. In serial multi-signature, a signer signs the message and 
sends it to the next signer for further processing; the next signer after verifying his predecessor's 
signature, signs the received components. The serial multi-signature generation is considered to be 
complete when the last signer signs the message. In case of parallel multi-signature, the signature of 
each signer is carried out on the message itself but not on the signatures of the other signers. In order to 
complete the parallel multi-signature generation, a designated clerk combines all the individual 
signatures after verifying them. 
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Proxy signatures proposed by Mambo et al [5] is a variation of normal signature schemes, in which an 
original signer delegates his signing power to another signer called the proxy signer. The signature 
generated by the proxy signer is called the proxy signature for the original signer. But in some practical 
applications, the original signer may delegate his signing power in a distributive manner to all members 
of a group of specified proxy signers ensure individual accountability of each participant signer. The 
proxy signatures are obtained by combining (serially or parallel) all such signatures. Such a signature is 
called multi-proxy signature scheme. This was first proposed by Hwang et al [2] in 2001. The signature 
generated by the specified proxy signer is called the multi-proxy signature for the original signer. 

In this paper, we propose an ID based strong designated verifier parallel multi -proxy signature 
scheme. Our scheme is the based on the ID based multi-proxy signature scheme proposed by Chen et al 
[1]. In the proposed scheme, the designated verifier can only verify the multi -proxy signature generated 
by a group of proxy signers and he cannot convince any third party about the validity of the signatures. 
To the best of our knowledge there is no existing scheme on this concept. 

The rest of the paper is organized as follows: some definitions and preliminary works are given in 
section 2. Section 3 contains the model of the proposed ID based strong designated verifier parallel 
multi-proxy signature (ID-SDVPMPS) scheme and in section 4 we propose the ID-SDVPMPS. The 
security and the computational efficiency of the scheme is discussed in section 5 and 6 respectively. 
Finally, section 7 concludes the paper with applications. 



2. SOME DEFINITIONS 

In this section, we define bilinear pairings, various Diffie-Hellman problems and gap Diffie-Hellman 
group. 

1) Bilinear pairings 

Let Gjhea cyclic additive group with generator P, whose order is a large prime number q and G2 be a 
cyclic multiplicative group with the same order q. Let e: Gi^Gi^ G2hG a map with the following 
properties: 

Bilinearity: e (aP, bQ) = e(P, ^ P, Q ^ Gi and a,b ^ Z*. 
Non-degeneracy: ^ P, Q ^ Gi, such that e (P, Q) ^ 1, the identity of G2. 

Computability: There is an efficient algorithm to compute e (P, Q) ^ P, Q ^ Gj. 

Such pairings may be obtained by suitable modification in the Weil-pairing or the Tate-pairing on an 
elliptic curve defined over a finite field. 

2) Gap Diffie-Hellman Group 

Discrete Logarithm Problem (DLP): Given Q ^ Gj, find an integer a ^ Zq , such that Q = aP, P is a 
generator of Gi. 

Decisional Diffie-Hellman Problem (DDHP): Given P, aP, bP, cP in Gi, decide whether c = ab mod q. 
Computational Diffie-Hellman Problem (CDHP): Given P, aP, bP, compute abP 
Bilinear Diffie-Hellman Problem (BDHP): Given P, aP, bP, cP compute e(P, Pf^\ 
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Gap Difjie-Hellman group (GDHP): A class of groups, where DDHP can be solved in polynomial time 
but no probabilistic algorithm exists that can solve CDHP in polynomial time. 

3. MODEL FOR THE PROPOSED ID-SDVPMPS SCHEME 

In this section we define the phases through which our scheme is generated. Our scheme has five phases 

described as follows: 

• Setup: Given security parameter k, this algorithm outputs the public parameters. 

• Key generation: Given a user identity and the public parameters, this algorithm computes secret key 
of the user and the public key of the user's. 

• Proxy key generation: Given original signer's secret key, secret key of the original signer group, 
public key of the designated verifier, warrant on message 'm' and some random numbers, it outputs 
the proxy key of each proxy signer. 

• Multi-Proxy Signature Generation: Given proxy signing keys of the signing group, random 
numbers, public key of the designated verifier and warrant on message 'm', it outputs the multi- 
proxy signature on message 'm'. 

• Multi-Proxy Signature Verification: Given designated verifier secret key, signature cron message 
'ot' it outputs whether cris rejected or accepted. 

4, PROPOSED ID-BASED STRONG DESIGNATED VERIFIER PARALLEL MULTI-PROXY 
SIGNATURE SCHEME 

The proposed scheme involves five roles: the private key generator (PKG), the original signer Alice, a 
set PS = {Pj, P2,-; Pn} of proxy signers, a clerk Bob efPi, Pi,--, PJ, and a designated verifier Cindy. It 
consists of the following five phases: 

• Setup 

In this phase, PKG chooses a generator PgG u a random number sGZg* and computes Ppub = sP. 
PKG also chooses two cryptographic hash functions Hj: {0,1}* ^Gi, and H2 : {0,1}* xGi Zq. 
The system parameters fG; _ G2, P, Ppub, Hi, H2, e) are made public and '5' is kept secret with PKG. 

• Key generation 

A user ' If submits its identity IDu to PKG, which generates Smu = sQmu as the secret key and Qmu 
= Hi (IDiBu) is the public key of the user 

• Proxy key generation 

To delegate the signing capability to proxy signers, Alice generates the signed warrant on 
message 'm'. Each proxy signer generates the proxy key through the following protocol: 

> Alice chooses a random Zq* and computes U = rQjnc, h = H2(mw I lu), and V = HSida + U. 
Alice sends a = (niw, U, V) to each member Pi of the signer group PS. 

> Each Pi^PS accepts the signatures (J on m^ iffe(V, P) = e(QiDA, Ppubf ^(U, P). If valid, each Pj 
computes the proxy key Spi as Spi = hSmpi + V 
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• Multi-Proxy Signature Generation 

Each proxy signer Pi generates the partial signature and an appointed clerk Bob, who is one of the 
proxy signers, combines the partial proxy signature to generate the final designated verifier multi- 
proxy signatures. 

* " 

> Each Pi chooses tpi&Zg and computes Zp, = tpiQiDc, 2p = T^Zpi , and broadcast Z^, and then 

i=l 

each Pi computes H = H2(m^v I IZp), Xn = HSn + Zpj. (Zpu Xpf) is the partial signature of on 
the message 'm'. Each Pj sends Zp, to the clerk Bob. 

n . . 

> Bob computes Zp= Yj ^Pi ■> H = H2(mw I IZp) and for each 'i ' verifies the correctness of partial 



i = \ 



proxy signatures (Zpu Xpi) as e(Xpi, P) = e(QiDPi + Qida, Ppub/^ e(Zpi +HU, P) 

n 

Once all the partial proxy signatures are found correct, Bob computes X= '^Xpi . The valid 

i=l 

multi -proxy signature on message 'm' is a' = (ntw, Zp, X, U). 

• Multi-Proxy Signature Verification 

Cindy on receiving a' confirms the warrant rriw, computes H = H2(mw I IZp), and accepts ct as the 
valid multi-proxy signature iff 

e(X- nHU, Qjdc) e(t(QiDPi +Qida hSiocf" = e(Zp, Qidc) 
i=i 

• Correctness 

The verification of the multi -proxy signature is justified by the following equation: 
e(X- nHU. Qjnc) e(t(QiDPi +Qida hSmc)''" 

i=\ 

= e( t(Xpi)-nHU, QiDc)e(t(SjDPi +Sjda XQmc 

i=i i=i 

= e( t(HSp, +Zp^)-nHU, Qjnc) e(t(SjDPi +Sjda),Qidc 
i=i i=\ 

= e( t(H(V + hS^pJ) + Z,-nHU, Qjoc) e(t(SjoPi + S joa X Qidc f"" 
i=i i=i 

= e(t (H(U + hSjj,^ + hS^p, )) +Zp - nHU, Qinc)e(- t hH(S^p, + S^^ ), Q^c ) 

i=l i=l 

= e(Zp, Qjdc) 
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5. SECURITY ANALYSES 



> Prevention of misuse 

No proxy signer can use the proxy key for the purpose other than generating a vahd proxy 
signature, because of the use of warrant niw in the signatures. He can only sign messages that 
have been authorized by the original signer. 

> Proxy protected 

The original signer cannot create a valid multi proxy signature since each proxy key includes the 
private key Spi of each proxy signer. 

> Strong designated 

The designated verifier Cindy uses his secret to check the validity of the signatures. Moreover, 
Cindy is not able to convince anyone else of the signatures. Hence, scheme provides the 
strongness property. 

> Strong Unforgeability 

In our scheme, the clerk is one of the proxy signers but he has more power than other proxy 
signers. Assume that the clerk wants the proxy group to sign a fake message m' . He can change 
his Zpi and therefore Zp can be changed but fi-om the security of public one-way hash function 
H2 it is impossible for the clerk to get //'and X' such that (^m',mM;,H',X', is a valid multi- 
proxy signature. Moreover, no user can forge the multi-proxy signature because he cannot obtain 
more information than the clerk. 

6. COMPUTATION ASPECTS 

In this section we compare the computational efficiency of the Chen et al [1] scheme and the proposed 
scheme. We will check that how many computations are required to add the property of strong 
designated verifier to the Chen et al [1] scheme. 
(Table 1) 
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H = Hash, M = Multiplication, E = Exponential, P = Pairing, I = Inverse. 
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(Table 2) 



Schemes 


Comparison of Chen et al [4] and Scheme 3 
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5H+8M+3E+9P 


Chen's 


6H+5M+8E+8P 



From the above two tables we can get the following conclusions: 



> Only with the addition of one pairing we can add the concept of strong designated verifier to Chen et 
al [1] scheme. 

> Moreover, Chen et al [1] scheme requires one hash and five exponential more than our scheme. 
7. APPLICATIONS AND CONCLUSION 

Country 'X' is set to start a new project for developing a nuclear weapon with the assistance of a group 
of 'n' scientists. During their operation, they encountered a problem that can only be solved by Cindy, 
who is a scientist from country 'Y'. Here 'Y' is the country which has already produced the same 
nuclear weapon and Cindy was one of the members of scientist panel. But, 'X' fears that if they discuss 
their concerns with Cindy, she may leak the news that 'X' is producing a nuclear weapon. In such 
situations. Strong Designated Verifier Parallel Multi-Proxy Signature Scheme, as proposed in this 
Chapter, can be used to generate a digitally signed document that is signed by all the scientists. 

We proposed a new identity based strong designated verifier parallel multi-proxy signature 
scheme which is more efficient than ID-based multi -proxy signature scheme by Chen et al [1]. Our 
scheme has practical application in situations where the proxy-signature generated by specified group 
can only be verified by a single designated verifier. 
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